Download this free Local Administrator Security Policy template and use it for your organization.
1 WHO ARE THE LOCAL ADMINISTRATORS?
1.1 Local Administrators refer to the security administrators of local systems.
1.2 Local Administrators will be authorized persons appointed by the organization, e.g. Assistant Branch Manager/Sales & Service Manager and all Centre Managers (TFC, CAC, LMC, LOC, ZCBC, SSC, Cheque Processing Centre, etc., or any future centres to be set up).
1.3 He/she may delegate this responsibility to another senior officer, but accountability shall still rest with him/her.
1.4 Local systems refer to all systems not centrally controlled by Organization’s Information Systems Division (ISD)
2 WHAT ARE THE FUNCTIONS OF LOCAL ADMINISTRATORS?
The Local Administrators will be responsible for: –
2.1 Ensuring that information security requirements are implemented in their respective sites
2.2 The administration of logical and physical access controls for computerized information systems, and the monitoring of access violation reports
2.3 Providing guidelines and procedures to achieve consistent practices and compliance with the Organization’s security standard
2.4 Ensuring audit compliance and security controls are met on an on-going basis.
3 AREAS TO BE MONITORED
The security administration of the following areas comes under the jurisdiction of the Local Administrators: –
3.1 Logical Access Controls (Appendix 1)
The objective is to enforce segregation of duties by ensuring individuals can only access data and perform processing to which they have been authorized
3.2 Physical Security Controls (Appendix 2)
The objective is to prevent unauthorized access to computer related equipment and to ensure that the computer related equipment is adequately protected against natural hazards and malicious damage.
3.3 Computer Operations (Appendix 3)
The objective is to ensure that operational procedures are adhered to. These operational procedures are to ensure the continuity of processing, minimizing the risk of disruption to computer services and to ensure that jobs are processed in an authorized manner
3.4 Change and Configuration Management (Appendix 4)
The objective is to ensure a means of identifying and controlling the modification of the individual component items that together constitute the local system
3.5 Management of IDs Kept Under Custody (Appendix 5)
The objective is to provide a guideline on those critical IDs to be kept by an appointed custodian (e.g. Branch Manager, Heads of Department and Local Administrator) to ensure back-up for the continuity of the organization’s operations/services
4 BREACHES IN SECURITY CONTROLS
The IS Local Administrator is to ensure that the branch conforms to the Organization’s security standard. Any security breach or unsatisfactory audit rating in computer security will be taken into consideration in their performance appraisal.
The following documents will be relevant: –
- Logical Access Controls
- Physical Security Controls
- Computer Operations
- Change and Configuration Management
- Management of IDs Kept Under Custody
- Information Systems Security Policy
6.1 All staff are required to comply with this security policy and its appendices. Disciplinary action, including termination, may be taken against any Organization staff who fail to comply with the Organization’s security policies, or who circumvent or violate any security systems and/or protection mechanisms.
6.2 Staff having knowledge of personal misuse or malpractice of IT systems must report it immediately to management and IT Security.
6.3 Organization’s staff must ensure that Organization’s contractors and other parties authorized by the Organization to use its internal computer systems comply with this policy.
6.4 Where the role of the service provider is outsourced to a vendor, the outsourced vendor should ensure compliance with this policy.
Logical Access Control
To enforce segregation of duties by ensuring individuals can only access data and perform processing to which they have been authorized.
2 FOCUS AREA
There are three main areas of focus: –
2.1 ADMINISTRATOR IDs
2.1.1 Administrator privileges will only be given to authorized persons appointed by the organization
2.1.2 The number of IDs with administration privileges must be limited to 2 for each location
2.1.3 The names of the primary administrator and secondary administrator must be properly documented
2.1.4 Default passwords for Administrator IDs must be changed so that they are unique and known only to the IS Local Administrators
2.1.5 Under no circumstances shall the administrator share his or her ID with anyone without a proper hand-over process
2.1.6 Any modification performed using the Administrator IDs will be deemed to have been done by the administrator unless proven otherwise
2.2 ID STANDARDS
2.2.1 All IDs issued on IBM mainframe must comply with Organization’s ID naming convention, i.e. the MEMO ID naming convention
2.2.2 This is to ensure that each staff member has only one ID, and to facilitate the housekeeping process when the staff member is transferred, resigns or retires
2.2.3 All IDs issued on non-mainframe platforms should be issued according to the standards agreed upon for the system or application
2.3 ID MAINTENANCE
2.3.1 Removal Of IDs
All means of access (IDs, passwords, magnetic smart cards) to information kept on the computer systems shall be taken away from every staff member who has tendered his/her resignation or whose services have been terminated.
2.3.2 Segregation Of Duties
Administrators must ensure that the IDs given to staff do not conflict with, or are not incompatible with, the actual duties of the staff, e.g. a clerk given an ID with manager or officer privileges.
2.3.3 Overlapping Of Functions
All privileges given to an ID must be revoked or reviewed when the owner is assigned new functions. This is to prevent overlapping of functions, where a staff member assigned to JOB B still has special privileges to do JOB A.
2.3.4 Transfer Of IDs
IDs are meant for the owner only. Therefore IDs must not be passed down from a resigned, transferred or retired staff member to an existing staff member without first reviewing the access given to the ID and changing the name of the ID’s owner.
2.3.5 Sharing Of IDs
All IDs must have an owner. Under no circumstances should IDs be shared. Even if an ID is required for certain functions that will be used by a group of people, the group leader will be made owner of the ID. This is to ensure accountability for the usage of all IDs issued by Organization.
2.3.6 Development Or Test IDs
All IDs that were used in the development and testing of a system must be removed once the exercise is completed. Only IDs that are relevant to the production system are allowed to reside in the production environment.
2.3.7 Matrix For IDs
All IDs in the system must be given according to the predefined ID matrix. Any change in ID functions must be updated in the ID matrix. The User Access Matrix must be endorsed by management.
2.3.8 User ID Register
For IDs whose user profiles do not contain the name and PF number of the staff member, a “User ID Register” must be maintained. The following particulars must be recorded: –
a) Name of staff
b) PF number of staff
c) Date issued (of ID)
d) Date of receipt (of ID)
e) Acknowledged receipt by staff
f) Acknowledged return by staff
This register is to ensure non-repudiation.
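As an added illustration that is not part of the policy template, the following Python script audits a constructed ID register against rules 2.1.2, 2.3.1, 2.3.2, 2.3.5 and 2.3.6 above; the record fields, the role-to-privilege model and all sample values are assumptions made for the example.

```python
from collections import Counter

MAX_ADMIN_IDS_PER_LOCATION = 2          # rule 2.1.2
# Rule 2.3.2: privileges each role may hold (assumed role model, not the policy's)
COMPATIBLE = {
    "clerk":   {"teller"},
    "officer": {"teller", "approve"},
    "manager": {"teller", "approve", "admin"},
}

def audit(register):
    """Return (rule, subject) findings for a list of ID records."""
    findings = []
    # Count enabled IDs holding the admin privilege per location
    admins = Counter(r["location"] for r in register
                     if "admin" in r["privileges"] and r["access"] == "enabled")
    for loc, n in admins.items():
        if n > MAX_ADMIN_IDS_PER_LOCATION:
            findings.append(("2.1.2", loc))      # too many admin IDs at a site
    for r in register:
        if r["employment"] != "current" and r["access"] == "enabled":
            findings.append(("2.3.1", r["id"]))  # leaver still has access
        if r["privileges"] - COMPATIBLE.get(r["role"], set()):
            findings.append(("2.3.2", r["id"]))  # privileges conflict with role
        if not (r["owner"] and r["pf"]):
            findings.append(("2.3.5", r["id"]))  # no accountable owner recorded
        if r["purpose"] == "test" and r["environment"] == "production":
            findings.append(("2.3.6", r["id"]))  # test ID left in production
    return findings

def rec(id_, owner, pf, location, role, privileges, purpose="production",
        environment="production", employment="current", access="enabled"):
    """Build one register record (field names are assumptions)."""
    return dict(id=id_, owner=owner, pf=pf, location=location, role=role,
                privileges=set(privileges), purpose=purpose,
                environment=environment, employment=employment, access=access)

# Constructed sample register; names, PF numbers and IDs are made up.
REGISTER = [
    rec("ADM01", "A. Lim", "1001", "TFC", "manager", ["admin", "approve", "teller"]),
    rec("ADM02", "B. Tan", "1002", "TFC", "officer", ["admin"]),
    rec("ADM03", "C. Ng",  "1003", "TFC", "manager", ["admin"]),
    rec("CLK07", "D. Koh", "1004", "CAC", "clerk",   ["teller"], employment="resigned"),
    rec("TST01", "E. Ong", "1005", "CAC", "officer", ["teller"], purpose="test"),
    rec("BAT01", "",       "",     "CAC", "officer", ["teller"]),
]

if __name__ == "__main__":
    for rule, subject in audit(REGISTER):
        print(f"rule {rule} violated: {subject}")
```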
Physical Security Control
To prevent unauthorized access to computer related equipment and to ensure that the computer related equipment is adequately protected against natural hazards and malicious damage.
2 FOCUS AREA
There are three main areas of focus: –
2.1 Physical Access To Computer Room
2.1.1 Each site must have a computer room to store critical computer related equipment, e.g. server, UPS, modems, etc.
2.1.2 Computer room must be locked at all times.
2.1.3 Keys to the computer room must be held by the IS Local Administrator.
2.1.4 The administrator must ensure that all staff accessing the computer room register themselves in the “Entry Register Book” before access is given.
2.1.5 Access to the computer room by non-staff must be controlled to ensure that: –
a) they are bona fide staff of the contractor
b) they have been authorized by the contractor
c) they have been approved by the relevant heads of department
d) they are escorted by a staff member
2.1.6 The “Entry Register Book” must contain the following: –
a) Name of visitor
b) Purpose of visit
c) In time
d) Out time
e) Date
f) Signature of visitor
2.2 Power Supply
Administrators must ensure that there is an uninterruptible power supply (UPS) or battery backup for the critical servers.
The UPS must be subjected to periodic maintenance and testing.
2.3 Control Of Storage Media
2.3.1 Storage media, e.g. diskettes, tapes, etc., must be kept in a secured and preferably fireproof area.
2.3.2 Access to storage media must be controlled and only granted to authorized staff.
2.3.3 Movement of storage media in and out of storage must be logged.
2.3.4 The log must contain the following information: –
a) Name of storage device
b) Date
c) Purpose of withdrawal
d) Withdrawal time
e) Deposit time
f) Name of staff
g) Authorized signature
Computer Operations
The operational procedures are to ensure continuity of processing, minimising the risk of disruption to computer services and to ensure that jobs are processed in an authorised manner.
2 FOCUS AREA
There are three areas of focus: –
2.1 Backup Storage Media Protection
2.1.1 Copies of backup files must be kept in the storage area once the backup process is completed.
2.1.2 Storage media must be properly labelled to identify the contents.
2.1.3 Centralised inventory listing of all storage media must be maintained by the administrator.
2.1.4 An inventory check must be done annually, and the media tested to ensure they are in working condition.
2.1.5 Movement of storage media must be monitored.
2.2 Frequency And Retention Of Backups
2.2.1 Administrators must ensure that all backups are done regularly at the appropriate intervals.
2.3 Recovery And Restart
2.3.1 Administrators must be aware of the escalation procedure in the event of system failure.
2.3.2 Recovery and restart procedures must be properly understood, and the documentation stored for easy retrieval.
2.3.3 Administrators must ensure that any backup media that would overwrite existing production data are obtained from the Data Owners.
Change and Configuration Management
To ensure a means of identifying and controlling the modification of the individual component items that together constitute the local system.
2 FOCUS AREA
There are four main areas of focus: –
2.1 Change Management Authorization
2.1.1 The administrator is to ensure the following information is available before allowing any changes to be made to their local systems: –
a) What is to be changed
b) Description of change
c) Who has authorized the change
d) Impact of change
2.2 Change Implementation
2.2.1 The administrator should get the following from the change agent: –
a) A sign-off from the change agent that the implementation of the change is successful
b) Problem management procedure in case of complications caused by the change
2.3 Change Management For Third Parties
2.3.1 The administrator should ensure the following: –
a) The third party formally schedules and communicates all deliveries
b) Proof that prior acceptance of the change has been approved by Information Systems Division (ISD)
2.4 Configuration Management
2.4.1 The administrator should ensure: –
a) No configuration of computer equipment is changed without prior approval by ISD
b) Confirmation of whether any changes have been made to the configuration of the server after a change exercise
c) That documentation for the server configuration is up to date
Under no circumstances should the administrator change the configuration of systems without prior approval.
Management of IDs Kept Under Custody
This guideline provides a standard for how user IDs under custody should be maintained.
2 DEFINITION OF IDs UNDER CUSTODY
IDs kept under custody refer to IDs kept by a trusted person who is known as the custodian. Custody IDs are not used by the custodian but rather held by the custodian for safekeeping.
3 WHO ARE ID CUSTODIANS?
Custodians can be anybody who is accountable for IDs given to them for safekeeping. This includes Branch Managers, Heads of Department, Local Administrators, etc.
4 WHAT ARE THE DUTIES OF A CUSTODIAN
The custodians of IDs must ensure the confidentiality, integrity and availability of the IDs.
Passwords must not be known to anyone except the custodian. Once a password is exposed it must be changed immediately.
IDs must be properly labelled and kept updated to ensure the accuracy of their passwords.
The custodians must ensure that the passwords held by them are available for use as and when needed. Therefore, all custodians should have a backup in case of emergency.
5 MANAGEMENT OF IDS UNDER CUSTODY
The following guidelines must be enforced for all IDs under custody:
5.1 Storage of IDs
a) Passwords of IDs must be stored in a secured area. A secured area is defined as a place where access to the area is controlled.
b) Passwords should be stored in a compartmentalised manner so that exposure of one password will not jeopardise the others. One way of compartmentalising passwords is to store each password in a sealed, signed, labelled and dated envelope.
5.2 Divulgence of password
a) When the password for an ID is required, proper approval must be obtained before divulging the password. Approvals must be documented.
b) All passwords divulged must have an issuance date and an expiry date recorded. On the expiry date it is the duty of the custodian to revoke the password.
c) After divulging a password, the administrator must change the password once the ID is returned.
d) The change of password is documented and updated.
5.3 Availability of IDs
a) The custodian must ensure the availability of IDs at all times. If the custodian is going to be absent for a period of time or permanently, control of the passwords must be handed over to the relieving officer.
b) Handing over of the custody of IDs must be documented and approved.
c) For critical systems, the passwords must be available at all times.
6 CONTROLS OF IDS
Every time a password is divulged, the following information must be documented:
a) Name of the requester
b) PF number of the requester
c) Date issued
d) Date returned
e) Acknowledgement of receipt by the custodian
7 APPROVAL FORM
Where possible, approval should be via CHANGE. Where such facilities are not available, the REQUEST FOR PASSWORD form should be used.